The Internet has become ubiquitous as millions of users have adopted it as their medium of choice for communicating and for sharing information. Because of this success, the Internet has also become a medium by which malicious code may be spread to the computer systems of unsuspecting users. Once malicious code has successfully infiltrated a computer system, it can cause far-reaching damage (e.g., deleting files, rewriting the registry, overwriting disk space, corrupting hard drives, displaying unsolicited messages, etc.) that may not be limited to one individual computer system but may also spread to other computers on the same network.
A popular method by which malicious code may be spread is by embedding the code onto a web page as a payload. As discussed herein, a payload refers to an executable file that may be downloaded from a website onto a user's computer system. To prevent the spread of malicious payloads, an anti-virus engine may be installed at the gateway host and/or at the individual computer to scan each payload before allowing the payload to be downloaded onto a user's computer system. Once the payload has been scanned, the anti-virus engine may allow the payload to be downloaded if the payload includes no known malicious code. However, if the anti-virus engine detects malicious code, then the anti-virus engine may send a warning message to the user's computer alerting the user of possible malicious code.
The task of scanning each payload is seemingly endless, since a typical anti-virus engine performs the scanning function each time a payload is encountered. Thus, the anti-virus engine may have to rescan the same payload each time that payload is encountered, even though its content has not changed. Accordingly, the anti-virus engine may consume a relatively high amount of processing power and bandwidth in order to perform its scanning function.
To reduce the scanning bandwidth requirement, some anti-virus engines may consult a rating database before performing the scanning function. As discussed herein, a rating database refers to a database that stores data about malicious code. Traditionally, a rating database may acquire its data by extracting information from external sources, such as white lists, black lists, rating services, other rating databases, and the like.
For anti-virus engines that make use of a rating database, the anti-virus engine may query the rating database to determine whether the payload is tracked by the rating database as a malicious payload. If the rating database reports the payload as malicious, the anti-virus engine may send a warning message to the user's computer alerting the user to the malicious nature of the payload. However, if the payload is not tracked by the rating database, then the anti-virus engine may scan the payload as described above.
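The lookup-then-scan flow of the preceding paragraphs, and the rescanning cost noted earlier, as an added example (not code from the original page). It assumes a content-hash keyed rating database, a constructed signature table and a minimal pattern scanner; all payloads, hashes and signatures are constructed for illustration.

```python
"""Added example: a gateway anti-virus check that consults a rating database
before falling back to a signature scan.  Not code from the original page;
the rating lookup, signature table and scanner are constructed stand-ins."""
import hashlib

# Constructed byte patterns standing in for real anti-virus signatures.
SIGNATURES = {
    "Constructed.Dropper": b"\x4d\x5a\x90\x00DROPPER-STAGE1",
    "Constructed.Downloader": b"GET /stage2.bin HTTP/1.0",
}


def payload_id(payload: bytes) -> str:
    """Key a payload by content hash so the same bytes map to the same entry
    whatever URL or filename they arrive under."""
    return hashlib.sha256(payload).hexdigest()


class RatingDatabase:
    """Ratings imported from external sources (black lists, white lists,
    rating services).  Holds only what those sources reported."""

    def __init__(self):
        self._ratings = {}  # sha256 hex digest -> "malicious" | "clean"

    def load_blacklist(self, digests):
        for d in digests:
            self._ratings[d] = "malicious"

    def load_whitelist(self, digests):
        for d in digests:
            self._ratings[d] = "clean"

    def lookup(self, digest):
        return self._ratings.get(digest)  # None when the payload is untracked


class SignatureScanner:
    """Minimal pattern scanner; counts scans so the rescanning cost is visible."""

    def __init__(self):
        self.scan_count = 0

    def scan(self, payload: bytes):
        self.scan_count += 1
        for name, pattern in SIGNATURES.items():
            if pattern in payload:
                return name
        return None


class GatewayAntiVirus:
    def __init__(self, db: RatingDatabase, scanner: SignatureScanner):
        self.db = db
        self.scanner = scanner

    def check(self, payload: bytes) -> dict:
        """Return the verdict for one download and where the verdict came from."""
        digest = payload_id(payload)
        rating = self.db.lookup(digest)
        if rating == "malicious":
            return {"action": "warn", "source": "rating-db", "detail": None}
        if rating == "clean":
            return {"action": "allow", "source": "rating-db", "detail": None}
        # Untracked payload: the engine has to scan it, on every encounter.
        hit = self.scanner.scan(payload)
        if hit:
            return {"action": "warn", "source": "scan", "detail": hit}
        return {"action": "allow", "source": "scan", "detail": None}


def demo():
    """Constructed scenario: one blacklisted payload, one untracked malicious
    payload downloaded three times, and one untracked benign payload."""
    known_bad = b"\x4d\x5a\x90\x00DROPPER-STAGE1 old sample"
    untracked_bad = b"\x4d\x5a\x90\x00DROPPER-STAGE1 repacked"
    benign = b"\x4d\x5a\x90\x00hello world installer"

    db = RatingDatabase()
    db.load_blacklist([payload_id(known_bad)])  # only what external lists reported
    scanner = SignatureScanner()
    av = GatewayAntiVirus(db, scanner)

    verdicts = [av.check(known_bad)]
    verdicts += [av.check(untracked_bad) for _ in range(3)]  # same bytes, three downloads
    verdicts.append(av.check(benign))
    return verdicts, scanner.scan_count


if __name__ == "__main__":
    verdicts, scans = demo()
    for v in verdicts:
        print(v)
    print("signature scans performed:", scans)
```

The blacklisted sample never reaches the scanner, while the untracked sample is scanned on each of its three downloads; in the scenario above the scanner runs four times in total, three of them against bytes it has already seen.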
As can be appreciated from the foregoing, the rating database is limited to the information that can be acquired from external sources. In an example, a user encounters a payload with malicious code but does not report the experience; generally, most users do not take the additional time required to report such encounters. Thus, the external sources provide, at best, an incomplete list of malicious code. Since only a fraction of existing malicious payloads are tracked in the rating database, the anti-virus engine ends up scanning many payloads that the rating database does not track.
In addition, before a payload may be added to a rating database, the payload may have to be verified. In other words, a candidate payload to be tracked by the rating database may have to be scanned to verify that it indeed includes malicious code before it can be properly tracked by the rating database. As a result, a relatively large amount of processing power and bandwidth may have to be consumed using the prior art approach.